Move borrow_as_ptr lint in the suspicious category

[GuillaumeGomez]

Part of #10872.

This lint should warn by default as it actually allows to uncover potentially problematic reference to pointer conversions. To do so, I moved it into the suspicious category. I also used this opportunity to extend its tests.

The second issue described in the issue doesn't seem to be covered by the current lint implementation though.

[rustbot]

r? @llogiq

(rustbot has picked a reviewer for you, use r? to override)

[bors]

☔ The latest upstream changes (presumably #10921) made this pull request unmergeable. Please resolve the merge conflicts.

[llogiq]

Sorry for taking so long to review. I worry about potential fallout for this lint, so r=me after rebase if lintcheck confirms it's not too bad.

[flip1995]

clippy 0.1.72 (9e3a8a9ec15 2023-06-05)

Reports

ahash-0.8.3/src/random_state.rs:142:39
anstyle-parse-0.2.2/src/lib.rs:180:26
arrayvec-0.7.4/src/array_string.rs:126:41
arrayvec-0.7.4/src/arrayvec.rs:760:14
arrayvec-0.7.4/src/arrayvec.rs:761:41
backtrace-0.3.69/src/backtrace/libunwind.rs:93:37
backtrace-0.3.69/src/symbolize/gimli/libs_dl_iterate_phdr.rs:15:47
bincode-2.0.0-rc.3/src/de/impl_core.rs:184:10
bincode-2.0.0-rc.3/src/de/impls.rs:454:23
bincode-2.0.0-rc.3/src/de/impls.rs:485:23
bindgen-0.68.1/clang.rs:495:20
bumpalo-3.14.0/src/lib.rs:339:43
bumpalo-3.14.0/src/lib.rs:343:32
bumpalo-3.14.0/src/lib.rs:349:32
byteorder-1.5.0/src/lib.rs:2002:27
byteorder-1.5.0/src/lib.rs:2016:27
byteorder-1.5.0/src/lib.rs:2107:28
byteorder-1.5.0/src/lib.rs:2119:28
byteorder-1.5.0/src/lib.rs:2188:27
byteorder-1.5.0/src/lib.rs:2198:27
byteorder-1.5.0/src/lib.rs:2285:28
byteorder-1.5.0/src/lib.rs:2297:28
core-foundation-0.9.3/src/number.rs:101:17
core-foundation-0.9.3/src/number.rs:115:17
core-foundation-0.9.3/src/number.rs:33:68
core-foundation-0.9.3/src/number.rs:42:68
core-foundation-0.9.3/src/number.rs:51:69
core-foundation-0.9.3/src/number.rs:60:69
core-foundation-0.9.3/src/number.rs:73:17
core-foundation-0.9.3/src/number.rs:87:17
crypto-bigint-0.5.3/src/uint.rs:143:16
crypto-bigint-0.5.3/src/uint.rs:152:20
form_urlencoded-1.2.0/src/lib.rs:414:47
futures-task-0.3.28/src/noop_waker.rs:52:17
half-2.3.1/src/binary16/arch/x86.rs:27:6
half-2.3.1/src/binary16/arch/x86.rs:36:6
half-2.3.1/src/binary16/arch/x86.rs:45:6
half-2.3.1/src/binary16/arch/x86.rs:54:6
half-2.3.1/src/binary16/arch/x86.rs:86:6
half-2.3.1/src/binary16/arch/x86.rs:95:6
hyper-1.0.0-rc.4/src/rt/io.rs:161:21
hyper-1.0.0-rc.4/src/rt/timer.rs:115:28
once_cell-1.18.0/src/imp_std.rs:218:18
openssl-0.10.57/src/aes.rs:206:13
openssl-0.10.57/src/aes.rs:245:13
openssl-0.10.57/src/pkey.rs:692:17
openssl-0.10.57/src/x509/mod.rs:1705:17
openssl-0.10.57/src/x509/mod.rs:1879:61
openssl-0.10.57/src/x509/mod.rs:1890:59
openssl-0.10.57/src/x509/mod.rs:864:9
percent-encoding-2.3.0/src/lib.rs:466:47
pest-2.7.4/src/iterators/pair.rs:385:9
pest-2.7.4/src/iterators/pairs.rs:475:9
redox_syscall-0.4.1/src/flag.rs:252:17
rustix-0.38.17/src/ioctl/patterns.rs:147:9
sha2-0.10.8/src/sha512/x86.rs:131:39
signal-hook-0.3.17/src/low_level/pipe.rs:178:41
siphasher-1.0.0/src/sip128.rs:675:38
siphasher-1.0.0/src/sip128.rs:676:38
subtle-2.5.0/src/lib.rs:241:34
subtle-2.5.0/src/lib.rs:570:20
thread_local-1.1.7/src/lib.rs:232:17
thread_local-1.1.7/src/lib.rs:443:32
tracing-subscriber-0.3.17/src/filter/layer_filters/mod.rs:762:51
tracing-subscriber-0.3.17/src/filter/layer_filters/mod.rs:763:51
tracing-subscriber-0.3.17/src/filter/layer_filters/mod.rs:765:22
tracing-subscriber-0.3.17/src/fmt/fmt_layer.rs:984:50
tracing-subscriber-0.3.17/src/fmt/fmt_layer.rs:985:50
tracing-subscriber-0.3.17/src/fmt/fmt_layer.rs:986:50
tracing-subscriber-0.3.17/src/layer/mod.rs:1650:18
valuable-0.1.0/src/named_values.rs:75:49
wasm-bindgen-0.2.87/src/closure.rs:284:22

Stats:

lint	count
clippy::borrow_as_ptr	72

---

I didn't go through any of those to see if they are legit or FPs.

[GuillaumeGomez]

ahash:

// src/random_state.rs:142
counter: AtomicUsize::new(&PI as *const _ as usize),

anstyle-parse:

// src/lib.rs:180
let params = &slices[..num_params] as *const [MaybeUninit<&[u8]>] as *const [&[u8]];

arrayvec:

// src/array_string.rs:126
.copy_to_nonoverlapping(&mut vec.xs as *mut [MaybeUninit<u8>; CAP], 1);
// src/arrayvec.rs:760
(&*array as *const [T; CAP] as *const [MaybeUninit<T>; CAP])
// src/arrayvec.rs:761
.copy_to_nonoverlapping(&mut vec.xs as *mut [MaybeUninit<T>; CAP], 1);

backtrace:

// src/backtrace/libunwind.rs:93
uw::_Unwind_Backtrace(trace_fn, &mut cb as *mut _ as *mut _);
// src/symbolize/gimli/libs_dl_iterate_phdr.rs:15
libc::dl_iterate_phdr(Some(callback), &mut ret as *mut Vec<_> as *mut _);

bincode:

// src/de/impl_core.rs:184
(&array as *const _ as *const [T; N]).read()
// src/de/impls.rs:454:23
let ptr = &mut buf as *mut _ as *mut [T; N];
// src/de/impls.rs:485:23
let ptr = &mut buf as *mut _ as *mut [T; N];

bindgen:

// clang.rs:495
let data = &mut visitor as *mut Visitor;

bumpalo:

// src/lib.rs:339
data: unsafe { NonNull::new_unchecked(&EMPTY_CHUNK as *const EmptyChunkFooter as *mut u8) },
// src/lib.rs:343
NonNull::new_unchecked(&EMPTY_CHUNK as *const EmptyChunkFooter as *mut u8)
// src/lib.rs:349
NonNull::new_unchecked(&EMPTY_CHUNK as *const EmptyChunkFooter as *mut ChunkFooter)

byteorder:

// src/lib.rs:2002
let bytes = *(&n.to_be() as *const u64 as *const [u8; 8]);
// src/lib.rs:2016
let bytes = *(&n.to_be() as *const u128 as *const [u8; 16]);
// src/lib.rs:2107
*n = *(&int.to_be() as *const u32 as *const f32);
// src/lib.rs:2119
*n = *(&int.to_be() as *const u64 as *const f64);
// src/lib.rs:2188
let bytes = *(&n.to_le() as *const u64 as *const [u8; 8]);
// src/lib.rs:2198
let bytes = *(&n.to_le() as *const u128 as *const [u8; 16]);
// src/lib.rs:2285
*n = *(&int.to_le() as *const u32 as *const f32);
// src/lib.rs:2297
*n = *(&int.to_le() as *const u64 as *const f64);

I'm stopping here since they all seem to be the same. Based on that, what do you want me to do?

[llogiq]

That is more fallout than I expected. It appears the pattern is pretty common. So even if the lint offers a valid and worthy suggestion, I think we should at least be careful how we communicate the benefits. "Better readability" is not a good reason to put errors or warnings into many Rustacean's CI builds.

So I'd like a second opinion on this before merging. cc @rust-lang/clippy

[Manishearth]

Yeah this is still quite tricky. I don't see this being a positive change at the time, there are legit risks around materializing references where you shouldn't, but if you're in a situation where you should, it doesn't really seem more readable to me.

[xFrednet]

The current group is pedantic, which seems reasonable to me, as it seems to be a used pattern. I generally assume that bigger projects conscious of these kinds of problems use #![warn(clippy::pedantic)] in the root of their projects.

[llogiq]

I also think that we must weigh the cost and benefits here, and the scale currently doesn't tip in favor of making the lint suspicious. If we somehow manage to restrict the lint to only warn on actually problematic cases, it would probably even warrant a correctness lint. Unfortunately detecting such cases is much harder than what the lint currently does.

[GuillaumeGomez]

Let's close it then! Thanks for your feedback everyone.